On 4 Feb 2010, at 09:51, Felix Meschberger wrote:

> Hi all,
>
> While working on some authentication handler stuff (integrating Eric's
> work and brushing up the OpenID handler), I started wondering whether
> we should not integrate a bare HTTP Basic Authentication handler into
> the Sling Commons Auth bundle.
>
> By "bare" I mean just support for sending 401 status back to the
> client, not thrilling form support or such. Very simple:
>
> - extractCredentials: reads Authentication header if existing
> - requestCredentials: sends 401 status
> - dropCredentials: does nothing or also sends 401 status
>
> This handler would not be registered as a service but directly known to
> the SlingAuthenticator class, which ensures this handler is always asked
> as a last resort.
>
> As a consequence we could fade out support for the existing httpauth
> bundle, since we would then have regular HTTP Basic auth in commons auth
> and form based support in the new cookieauth handler and of course even
> cooler stuff in the openid handler.
>
> WDYT ?
Would there be a configuration switch to disable it? I can imagine situations where there is an SSO solution and deployers positively want to disable basic auth, perhaps because they have Kerberos deployed or because of a local policy of not entering passwords into anything other than the official SSO authN interface. Some universities have policies like this.

Ian

> Regards
> Felix
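Added example, not Sling code or anything posted in this thread: a language-neutral Python sketch of the three operations Felix lists for a bare Basic handler (extract, request, drop) together with the enable/disable switch Ian asks about. The class and method names are my own; Sling's real SPI is Java, and a real handler would read the header from the servlet request rather than a dict.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sketch of the "bare" HTTP Basic handler discussed above.
# Names are invented here; this is not the Sling Commons Auth SPI.


@dataclass
class BasicAuthHandler:
    realm: str = "Sling"
    # The switch Ian asks for: a deployment with SSO/Kerberos turns this off
    # so the handler neither accepts Basic credentials nor challenges for them.
    enabled: bool = True

    def extract_credentials(self, headers: dict) -> Optional[Tuple[str, str]]:
        """Return (user, password) from an 'Authorization: Basic' header, or None.

        None means "no credentials offered here" so the authenticator can move
        on; a malformed header is treated the same way instead of raising.
        Header names are case-insensitive in HTTP; the dict here is a stand-in.
        """
        if not self.enabled:
            return None
        value = headers.get("Authorization")
        if value is None:
            return None
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic" or not token:  # scheme is case-insensitive
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # RFC 2617: the user-id may not contain ':', the password may,
        # so split on the first colon only.
        user, sep, password = decoded.partition(":")
        if not sep or not user:
            return None
        return user, password

    def request_credentials(self) -> Optional[Tuple[int, dict]]:
        """Status and headers of the 401 challenge; None when disabled."""
        if not self.enabled:
            return None
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}

    def drop_credentials(self) -> Optional[Tuple[int, dict]]:
        """Browsers have no Basic 'logout'; re-challenging is the only lever."""
        return self.request_credentials()
```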
